IT Governance Underscores UK Cyber-Attack Risk

The UK National Security Strategy's escalation of cyber threats to a Tier 1 risk is given further weight by IT Governance, which links the cyber-attack threat with other security risks.

The information security experts of IT Governance are highlighting cyberattack as the dominant threat to UK security, and urging the public and private sectors to strengthen their defences.

Alan Calder, Chief Executive of IT Governance, says: 'The new UK National Security Strategy identifies cyberattack as a Tier 1 threat, the highest level of risk, alongside international terrorism, international military crises and major accidents or natural hazards. In fact, we at IT Governance think cyberattack stands alone. After all, international terrorists have an identifiable cyber capability, and any international military crisis is likely to carry a significant element of cyber threat. And, given that the information we need to respond to almost any major national incident [such as a flu pandemic] is stored electronically, the risk of cyberattack permeates that entire Tier 1 list.

'But, in many ways,' continues Calder, 'you could say the greatest threat is not cyberattack itself but complacency. There are still organisations with a reckless disregard for information security. No one would go out and leave their front door wide open for fear of burglars; yet too many organisations leave their electronic doors open all the time.'

Calder continues: 'There are weapons to fight cyberattacks, but not everybody uses them properly, if at all. The foundation of cybersecurity is the ISO27001 information security management standard, the most significant international best practice standard available to any organisation seeking an organised and structured framework for addressing cyber risks. And if you want to ensure the strongest possible information and communications infrastructure, you should also be implementing the UK's standards for business continuity and resilience - BS25999, BS25777 and ISO24762.'

Calder warns: 'Many organisations seem to think it makes sense to implement ISO27001 without ever seeking external certification. But the increased focus, at a national level, on responding appropriately to cyber risks clearly undermines this approach. Increasingly, organisations will want to know that their supply chain is resilient against cyberattack. Supplier audits can consume a lot of time, and an accredited ISO27001 certificate is clear evidence that an organisation has taken proper security steps, and has obtained independent verification that these steps are in line with recognised international best practice.'

Calder concludes: 'In the art of war, knowing your enemy is key. We know the people behind cyberattacks will always be looking for new ways to breach defences. So we need to constantly upgrade those defences to keep ahead. It's a contradiction in terms - but we have to fight back first.'